Probabilistic Thread Algebra


J.A. BERGSTRA, C.A. MIDDELBURG


Abstract 


We add probabilistic features to basic thread algebra and its exten- 
sions with thread-service interaction and strategic interleaving. Here, 
threads represent the behaviours produced by instruction sequences 
under execution and services represent the behaviours exhibited by the 
components of execution environments of instruction sequences. In a 
paper concerned with probabilistic instruction sequences, we proposed 
several kinds of probabilistic instructions and gave an informal explana- 
tion for each of them. The probabilistic features added to the extension 
of basic thread algebra with thread-service interaction make it possible 
to give a formal explanation in terms of non-probabilistic instructions 
and probabilistic services. The probabilistic features added to the 
extensions of basic thread algebra with strategic interleaving make it 
possible to cover strategies corresponding to probabilistic scheduling 
algorithms. 


Keywords: basic thread algebra, probabilistic thread, probabilistic 
service, probabilistic interleaving strategy, probabilistic instruction. 


1 Introduction 


In [6], an approach to the semantics of programming languages was presented 
which is based on the perspective that a program is in essence an instruction 
sequence. The groundwork for the approach is formed by PGA (ProGram 
Algebra), an algebraic theory of single-pass instruction sequences, and BTA 
(Basic Thread Algebra), an algebraic theory of mathematical objects that 
represent the behaviours produced by instruction sequences under execution 
(for a comprehensive introduction to these algebraic theories, see [15]). To
increase the applicability of the approach, BTA was extended with thread- 
service interaction in [16]. In the setting of BTA and its extension with 
thread-service interaction, threads are mathematical objects that represent 
the behaviours produced by instruction sequences under execution and 
services are mathematical objects that represent the behaviours exhibited 
by components of execution environments of instruction sequences. 


As a continuation of the work presented in [6, 16], (a) the notion of 
an instruction sequence was subjected to systematic and precise analysis 
using the groundwork laid earlier, (b) various issues, including issues relating 
to computability and complexity of computational problems, efficiency of 
algorithms, and verification of programs, were rigorously investigated think- 
ing in terms of instruction sequences (for a comprehensive survey of a large 
part of the work referred to under (a) and (b), see [15]), and (c) the form of 
interleaving concurrency that is relevant to the behaviours of multi-threaded 
programs under execution, called strategic interleaving in the setting of BTA, 
was rigorously investigated by means of extensions of BTA (see e.g. [8, 9, 10]). 


In the course of the work referred to above under (b), we ran into the 
problem that BTA and its extension with thread-service interaction do not 
allow issues relating to probabilistic computation to be investigated thinking 
in terms of instruction sequences. In the course of the work referred to 
above under (c), we ran into the problem that BTA also does not allow 
probabilistic strategic interleaving to be investigated by means of extensions 
of BTA. This paper concerns the addition of features to BTA and its 
extensions with thread-service interaction and strategic interleaving that 
will take away these limitations. 


We consider it important to take probabilistic computation into account 
in future investigations. The primary reasons for this are the following: 
(a) the existence of probabilistic algorithms that are highly efficient, possibly 
at the cost of a probability of correctness less than one (e.g. primality 
testing, see [28]); (b) the existence of probabilistic algorithms for which no 
deterministic counterparts exist (e.g. symmetry breaking, see [25]); (c) the 
gradually created evidence for the hypothesis that it is relevant for a diversity 
of issues in computer science and engineering to think in terms of instruction 
sequences. This constitutes the basis of our motivation for the work presented 
in this paper. 

In [12], we gave an enumeration of kinds of probabilistic instructions 
that were chosen on the basis of direct intuitions and therefore not necessarily 
the best kinds in any sense. We only gave an informal explanation for each
of the enumerated kinds because we considered it premature at the time 
to add probabilistic features to BTA that would make it possible to give 
a formal explanation. We were doubtful whether the ad hoc addition of 
features to BTA was the right way to go. 


Later, we have found that the ramification of semantic options with the 
addition of probabilistic features to BTA is well surveyable because of (a) the 
limitation of the scope to behaviours produced by instruction sequences 
under execution and (b) the semantic constraints brought about by the 
informal explanations of the kinds of probabilistic instructions enumerated 
in [12] and the desired elimination property of all but one kind. In the case 
of a general process algebra, such as ACP [3], CCS [26] or CSP [23], the 
ramification becomes much more complex, particularly because a limitation 
of the scope to behaviours of a special kind is lacking. In this paper, we add 
probabilistic features to BTA and an extension of BTA with thread-service 
interaction. 


The probabilistic features added to the extension of BTA with thread- 
service interaction make it possible to give a formal explanation for each 
of the kinds of probabilistic instructions enumerated in [12] in terms of 
non-probabilistic instructions and probabilistic services. To demonstrate 
this, we add the kind of probabilistic instructions that cannot be eliminated 
to PGLB (ProGramming Language B), a program notation rooted in PGA 
and close to existing assembly languages, and give a formal definition of 
the behaviours produced by the instruction sequences from the resulting 
program notation. We opted for PGLB because in the past it has proved 
itself suitable for the investigation of various issues. The added kind of 
probabilistic instructions allow probabilistic choices to be made during the 
execution of instruction sequences. 


In [8] and subsequent papers, we extended BTA with kinds of in- 
terleaving where interleaving takes place according to some deterministic 
interleaving strategy. Interleaving strategies are abstractions of schedul- 
ing algorithms. Interleaving according to an interleaving strategy differs 
from arbitrary interleaving, but it is what really happens in the case of 
multi-threading as found in programming languages such as Java [20] and 
C# [22]. The extension of BTA with a probabilistic feature does not only 
allow of probabilistic services, but also allows of probabilistic interleaving 
strategies. In this paper, we also generalize the extensions of BTA with 
specific kinds of deterministic strategic interleaving to an extension for a 
large class of kinds of deterministic and probabilistic strategic interleaving.
Thus, strategies corresponding to probabilistic scheduling algorithms such 
as the lottery scheduling algorithm [33] are covered. 

The main results of this paper are probabilistic versions of BTA and 
its extensions with thread-service interaction and strategic interleaving 
which pave the way for (a) investigation of issues related to probabilistic 
computation thinking in terms of instruction sequences and (b) investigation 
of probabilistic interleaving strategies. 

In this paper, we take functions whose range is the carrier of a signed 
cancellation meadow as probability measures. In [18], meadows are proposed 
as alternatives for fields with a purely equational axiomatization. A meadow 
is a commutative ring with a multiplicative identity element and a total 
multiplicative inverse operation satisfying two equations which imply that 
the multiplicative inverse of zero is zero. A cancellation meadow is a field 
whose multiplicative inverse operation is made total by imposing that the 
multiplicative inverse of zero is zero, and a signed cancellation meadow is 
a cancellation meadow expanded with a signum operation. In [17], Kol- 
mogorov’s probability axioms for finitely additive probability spaces are 
rephrased for the case where probability measures are functions whose range 
is the carrier of a signed cancellation meadow. 

This paper is organized as follows. First, we review signed cancellation 
meadows (Section 2). Next, we add probabilistic features to BTA and 
an extension of BTA with thread-service interaction (Sections 3 and 4). 
Then, we add a kind of probabilistic instructions to PGLB (Section 5). 
Following this, we add probabilistic features to the extensions of BTA with 
strategic interleaving (Section 6). Finally, we make some concluding remarks 
(Section 7). 

It should be mentioned that BTA is introduced in [6] under the name 
BPPA (Basic Polarized Process Algebra) and services are called state ma- 
chines in [16]. 


2 Signed Cancellation Meadows 


We will take functions whose range is the carrier of a signed cancellation 
meadow as probability measures. Therefore, we review signed cancellation 
meadows in this section. 

In [18], meadows are proposed as alternatives for fields with a purely 
equational axiomatization. A meadow is a commutative ring with a multiplicative
identity element and a total multiplicative inverse operation
satisfying two equations which imply that the multiplicative inverse of zero is 
zero. Thus, all meadows are total algebras and the class of all meadows is a 
variety. At the basis of meadows lies the decision to make the multiplicative 
inverse operation total by imposing that the multiplicative inverse of zero 
is zero. All fields in which the multiplicative inverse of zero is zero, called 
zero-totalized fields, are meadows, but not conversely. 

A cancellation meadow is a meadow that satisfies the cancellation axiom 
$x \neq 0 \land x \cdot y = x \cdot z \Rightarrow y = z$. The zero-totalized fields are exactly the
cancellation meadows that satisfy in addition the separation axiom $0 \neq 1$.
A paradigmatic example of cancellation meadows is the field of rational 
numbers with the multiplicative inverse operation made total by imposing 
that the multiplicative inverse of zero is zero (see e.g. [18]). An example 
of a meadow that is not a zero-totalized field is the initial algebra of the 
equational axiomatization of meadows (see e.g. [5]). 


A signed cancellation meadow is a cancellation meadow expanded with 
a signum operation. The usefulness of the signum operation lies in the fact 
that the predicates $<$ and $\leq$ can be defined using this operation (see below).

The signature of signed cancellation meadows consists of the following 
constants and operators: the constants 0 and 1, the binary addition operator 
$+$, the binary multiplication operator $\cdot$, the unary additive inverse operator
$-$, the unary multiplicative inverse operator ${}^{-1}$, and the unary signum
operator $\mathsf{s}$.

Terms are built as usual. We use infix notation for the binary operators 
$+$ and $\cdot$, prefix notation for the unary operator $-$, and postfix notation for
the unary operator ${}^{-1}$. We use the usual precedence convention to reduce the
need for parentheses. We introduce subtraction and division as abbreviations:
$t - t'$ abbreviates $t + (-t')$ and $t / t'$ abbreviates $t \cdot ((t')^{-1})$.

The constants and operators from the signature of signed cancellation 
meadows are adopted from rational arithmetic, which gives an appropriate 
intuition about these constants and operators. 

Signed cancellation meadows are axiomatized by the equations in Ta- 
bles 1 and 2 and the above-mentioned cancellation axiom. The axioms for 
the signum operator stem from [4]. 

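The predicates $<$ and $\leq$ are defined in signed cancellation meadows as
follows: $x < y \Leftrightarrow \mathsf{s}(y - x) = 1$ and $x \leq y \Leftrightarrow \mathsf{s}(\mathsf{s}(y - x) + 1) = 1$. Because
$\mathsf{s}(\mathsf{s}(y - x) + 1) \neq -1$, we have $0 \leq x \leq 1 \Leftrightarrow \mathsf{s}(\mathsf{s}(x) + 1) \cdot \mathsf{s}(\mathsf{s}(1 - x) + 1) = 1$.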
We will use this equivalence below to describe the set of probabilities. 
Table 1: Axioms of a meadow

$(x + y) + z = x + (y + z)$
$x + y = y + x$
$x + 0 = x$
$x + (-x) = 0$
$(x \cdot y) \cdot z = x \cdot (y \cdot z)$
$x \cdot y = y \cdot x$
$x \cdot 1 = x$
$x \cdot (y + z) = x \cdot y + x \cdot z$
$(x^{-1})^{-1} = x$
$x \cdot (x \cdot x^{-1}) = x$


Table 2: Additional axioms for the signum operator 


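$\mathsf{s}(x / x) = x / x$
$\mathsf{s}(1 - x / x) = 1 - x / x$
$\mathsf{s}(-1) = -1$
$\mathsf{s}(x^{-1}) = \mathsf{s}(x)$
$\mathsf{s}(x \cdot y) = \mathsf{s}(x) \cdot \mathsf{s}(y)$
$\left(1 - \frac{\mathsf{s}(x) - \mathsf{s}(y)}{\mathsf{s}(x) - \mathsf{s}(y)}\right) \cdot (\mathsf{s}(x + y) - \mathsf{s}(x)) = 0$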


3 Probabilistic Basic Thread Algebra 


In this section, we introduce prBTA (probabilistic Basic Thread Algebra), 
a probabilistic version of BTA. The objects considered in BTA are called 
threads. In BTA, a thread represents a behaviour which consists of perform- 
ing actions in a deterministic sequential fashion. Upon each action performed, 
a reply from an execution environment determines how the thread proceeds. 
The possible replies are the values t and f. In prBTA, a thread represents a 
behaviour which consists of performing actions in a probabilistic sequential 
fashion. That is, performing actions may alternate with making internal 
choices according to discrete probability distributions. 

In the sequel, it is assumed that a fixed but arbitrary signed cancellation
meadow $\mathfrak{M}$ has been given. We denote the carrier of $\mathfrak{M}$ by $\mathfrak{M}$ as well, and
we denote the interpretations of the constants and operators in $\mathfrak{M}$ by the
constants and operators themselves. We write $\mathcal{P}$ for the set
$\{\pi \in \mathfrak{M} \mid \mathsf{s}(\mathsf{s}(\pi) + 1) \cdot \mathsf{s}(\mathsf{s}(1 - \pi) + 1) = 1\}$ of probabilities.

In prBTA, it is moreover assumed that a fixed but arbitrary set $\mathcal{A}$ of
basic actions, with $\mathsf{tau} \notin \mathcal{A}$, has been given. In addition, there is the special
action tau. Performing tau, which is considered performing an internal action,
will always lead to the reply t. We write $\mathcal{A}_{\mathsf{tau}}$ for $\mathcal{A} \cup \{\mathsf{tau}\}$ and refer to the
members of $\mathcal{A}_{\mathsf{tau}}$ as basic actions.

The algebraic theory prBTA has one sort: the sort T of threads. We 
make this sort explicit to anticipate the need for many-sortedness later on. 
To build terms of sort T, prBTA has the following constants and operators: 
• the inaction constant $\mathsf{D} : \to \mathbf{T}$;²

• the termination constant $\mathsf{S} : \to \mathbf{T}$;

• for each $a \in \mathcal{A}_{\mathsf{tau}}$, the binary postconditional composition operator
$\_ \unlhd a \unrhd \_ : \mathbf{T} \times \mathbf{T} \to \mathbf{T}$;

• for each $\pi \in \mathcal{P}$, the binary probabilistic composition operator
$\_ +_{\pi} \_ : \mathbf{T} \times \mathbf{T} \to \mathbf{T}$.


Terms of sort T are built as usual in the one-sorted case. We assume that 
there are infinitely many variables of sort T, including x,y,z. We use infix 
notation for postconditional composition and probabilistic composition. We 
introduce basic action prefixing as an abbreviation: $a \circ t$, where $t$ is a prBTA
term, abbreviates $t \unlhd a \unrhd t$. We identify expressions of the form $a \circ t$ with
the prBTA terms they stand for. 

The thread denoted by a closed term of the form $t \unlhd a \unrhd t'$ will first
perform $a$, and then proceed as the thread denoted by $t$ if the reply from
the execution environment is t and proceed as the thread denoted by $t'$ if
the reply from the execution environment is f. The thread denoted by a
closed term of the form $t +_{\pi} t'$ will behave like the thread denoted by $t$
with probability $\pi$ and like the thread denoted by $t'$ with probability $1 - \pi$.
The thread denoted by S will do no more than terminate and the thread 
denoted by D will become inactive. A thread becomes inactive if no more 
basic actions are performed, but it does not terminate. 

The inaction constant, the termination constant and the postcondi- 
tional composition operators are adopted from BTA. Counterparts of the 
probabilistic composition operators are found in most probabilistic process 
algebras that offer probabilistic choices of the generative variety (see e.g. [2]). 

The axioms of prBTA are given in Table 3. In this table, $\pi$ and $\rho$
stand for arbitrary probabilities from $\mathcal{P}$. Axiom T1 reflects that performing
tau will always lead to the reply t and axioms prA1-prA4 express that
probabilistic composition provides probabilistic choices of the generative
variety (see [32]). From prA1 and prA4, we can derive both $x +_{0} (y +_{0} z) = z$
and $(x +_{0} y) +_{0} z = z$, and hence also $x +_{0} (y +_{0} z) = (x +_{0} y) +_{0} z$. This last
equation can be immediately derived from prA2 as well because in meadows 
0/0 = 0. 

Table 3: Axioms of prBTA

$x \unlhd \mathsf{tau} \unrhd y = x \unlhd \mathsf{tau} \unrhd x$    T1
$x +_{\pi} y = y +_{1 - \pi} x$    prA1
$x +_{\pi} (y +_{\rho} z) = (x +_{\pi / (\pi + \rho - \pi \cdot \rho)} y) +_{\pi + \rho - \pi \cdot \rho} z$    prA2
$x +_{\pi} x = x$    prA3
$x +_{1} y = x$    prA4

Axiom T1 is adopted from BTA. Counterparts of axioms prA1-prA3 are
found in most probabilistic process algebras that offer probabilistic choices
of the generative variety (see e.g. [2]). However, in the process algebras
concerned the probabilities 0 and 1 are excluded in probabilistic choices to
prevent division by zero. Owing to this exclusion, axiom prA4 is lacking in
these process algebras.

² In earlier work, the inaction constant is sometimes called the deadlock constant.

Each closed prBTA term denotes a finite thread, i.e. a thread with 
a finite upper bound to the number of basic actions that it can perform. 
Infinite threads, i.e. threads without a finite upper bound to the number of
basic actions that they can perform, can be described by guarded recursion. A
guarded recursive specification over prBTA is a set of recursion equations
$E = \{X = t_X \mid X \in V\}$, where $V$ is a set of variables of sort T and each $t_X$
is a prBTA term in which only variables from $V$ occur and each occurrence
of a variable in $t_X$ is in a subterm of the form $t \unlhd a \unrhd t'$. We write $\mathrm{V}(E)$ for
the set of all variables that occur on the left-hand side of an equation in $E$.

We are only interested in models of prBTA in which guarded recursive 
specifications have unique solutions. A model of prBTA in which guarded 
recursive specifications have unique solutions is the projective limit model of 
prBTA. This model is constructed along the same line as the projective limit 
model of BTA presented in [15]. It is based on the view that two threads are 
identical if their approximations up to any finite depth are identical. The 
approximation up to depth n of a thread is obtained by cutting it off after 
it has performed n actions if it has not yet terminated or become inactive. 

We confine ourselves to the projective limit model of prBTA, which has 
an initial model of prBTA as a submodel, for the interpretation of prBTA 
terms. An outline of this model is given in Appendix A.1. In the sequel, 
we use the term probabilistic thread or simply thread for the elements of 
the carrier of the model. Regular threads, i.e. finite or infinite threads that 
can only be in a finite number of states, can be defined by means of a finite 
guarded recursive specification. 

We extend prBTA with guarded recursion by adding constants for
solutions of guarded recursive specifications and axioms concerning these
additional constants. For each guarded recursive specification $E$ and each
$X \in \mathrm{V}(E)$, we add a constant standing for the unique solution of $E$ for $X$
to the constants of prBTA. The constant standing for the unique solution
of $E$ for $X$ is denoted by $\langle X|E \rangle$. Moreover, we use the following notation.
Let $t$ be a prBTA term and $E$ be a guarded recursive specification. Then we
write $\langle t|E \rangle$ for $t$ with, for all $X \in \mathrm{V}(E)$, all occurrences of $X$ in $t$ replaced
by $\langle X|E \rangle$. We add the axioms for guarded recursion given in Table 4 to the
axioms of prBTA. In this table, $X$, $t_X$ and $E$ stand for an arbitrary variable
of sort T, an arbitrary prBTA term and an arbitrary guarded recursive
specification, respectively. Side conditions are added to restrict the variables,
terms and guarded recursive specifications for which $X$, $t_X$ and $E$ stand.

Table 4: Axioms for the guarded recursion constants

$\langle X|E \rangle = \langle t_X|E \rangle$  if $X = t_X \in E$    RDP
$E \Rightarrow X = \langle X|E \rangle$  if $X \in \mathrm{V}(E)$    RSP

The additional axioms for guarded recursion are known as the recursive 
definition principle (RDP) and the recursive specification principle (RSP). 
The equations $\langle X|E \rangle = \langle t_X|E \rangle$ for a fixed $E$ express that the constants
$\langle X|E \rangle$ make up a solution of $E$. The conditional equations $E \Rightarrow X = \langle X|E \rangle$
express that this solution is the only one.

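In Section 6, we will use the notation $\sum_{i=k}^{n} [\pi_i]\, t_i$ with $1 \leq k \leq n$ and
$\sum_{i=k}^{n} \pi_i = 1$ for right-nested probabilistic composition. The term $\sum_{i=k}^{n} [\pi_i]\, t_i$
with $1 \leq k \leq n$ is defined by induction on $n - k$ as follows:

$\sum_{i=k}^{n} [\pi_i]\, t_i = t_k$  if $k = n$,
$\sum_{i=k}^{n} [\pi_i]\, t_i = t_k +_{\pi_k} \left(\sum_{i=k+1}^{n} \left[\frac{\pi_i}{1 - \pi_k}\right] t_i\right)$  if $k < n$.

The thread denoted by $\sum_{i=k}^{n} [\pi_i]\, t_i$ will behave like the thread denoted by $t_k$
with probability $\pi_k$ and ... and like the thread denoted by $t_n$ with probability $\pi_n$.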
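
The following Python sketch is an added example, not code from the paper. It takes the zero-totalized rationals as the signed cancellation meadow, interprets closed prBTA terms as distributions, and checks axioms prA1-prA4 (including the 0/0 = 0 case of prA2) together with the right-nested probabilistic composition defined above. The tuple encoding of terms and all function names are assumptions of this example.

```python
from fractions import Fraction as Q

# Assumed model: the zero-totalized rationals as signed cancellation meadow.
def inv(x):
    return Q(0) if x == 0 else 1 / Q(x)       # inverse of zero is zero

def div(x, y):
    return Q(x) * inv(y)                       # x / y abbreviates x . y^{-1}

def sgn(x):
    return (x > 0) - (x < 0)                   # signum operator s

def is_prob(p):
    # Membership of P: s(s(p) + 1) . s(s(1 - p) + 1) = 1
    return sgn(sgn(p) + 1) * sgn(sgn(1 - p) + 1) == 1

# Hypothetical encoding of closed prBTA terms:
#   'D', 'S', ('pc', a, x, y) for x <|a|> y, ('pr', p, x, y) for x +_p y.
def dist(t):
    """Interpret a closed term as a distribution over probability-free heads."""
    if t in ('D', 'S'):
        return frozenset({(t, Q(1))})
    if t[0] == 'pc':
        _, a, x, y = t
        dx = dist(x)
        dy = dx if a == 'tau' else dist(y)     # T1: the reply to tau is always t
        return frozenset({((a, dx, dy), Q(1))})
    _, p, x, y = t
    if not is_prob(p):
        raise ValueError(f"{p} is not in P")
    acc = {}
    for d, w in ((dist(x), Q(p)), (dist(y), 1 - Q(p))):
        for head, q in d:
            acc[head] = acc.get(head, Q(0)) + w * q
    return frozenset((h, q) for h, q in acc.items() if q != 0)

def pra_axioms_hold(probs, x, y, z):
    """Check prA1-prA4 under dist() for every pair of probabilities in probs."""
    for p in probs:
        for r in probs:
            tot = p + r - p * r
            s = div(p, tot)                    # 0/0 = 0 keeps prA2 well-formed
            if not (is_prob(s)
                    and dist(('pr', p, x, y)) == dist(('pr', 1 - p, y, x))
                    and dist(('pr', p, x, ('pr', r, y, z)))
                        == dist(('pr', tot, ('pr', s, x, y), z))
                    and dist(('pr', p, x, x)) == dist(x)
                    and dist(('pr', 1, x, y)) == dist(x)):
                return False
    return True

def nsum(pairs):
    """Right-nested composition of [(p_k, t_k), ..., (p_n, t_n)], sum of p_i = 1."""
    (p, t), rest = pairs[0], pairs[1:]
    if not rest:
        return t
    return ('pr', p, t, nsum([(div(q, 1 - p), u) for q, u in rest]))

# Constructed sample terms and probabilities.
X = ('pc', 'a', 'S', 'D')
Y = 'S'
Z = ('pc', 'tau', 'D', 'S')
GRID = [Q(0), Q(1, 3), Q(1, 2), Q(1)]

if __name__ == "__main__":
    print(pra_axioms_hold(GRID, X, Y, Z))
    print(dict(dist(nsum([(Q(1, 2), X), (Q(1, 3), Y), (Q(1, 6), Z)]))))
```

The check is a soundness check for this one interpretation only; it does not establish that equal distributions imply derivable equality.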


4 Interaction of Threads with Services 


Services are objects that represent the behaviours exhibited by components of 
execution environments of instruction sequences at a high level of abstraction. 
A service is able to process certain methods. The processing of a method 
may involve a change of the service. At completion of the processing of a
method, the service produces a reply value. Execution environments are 
considered to provide a family of uniquely-named services. A thread may 
interact with the named services from the service family provided by an 
execution environment. That is, a thread may perform a basic action for the 
purpose of requesting a named service to process a method and to return a 
reply value at completion of the processing of the method. In this section, 
we extend prBTA with services, service families, a composition operator for 
service families, an operator that is concerned with this kind of interaction, 
and a general operator for abstraction from the internal action tau. 

In SFA, the algebraic theory of service families introduced below, it 
is assumed that a fixed but arbitrary set $\mathcal{M}$ of methods has been given.
Moreover, the following is assumed with respect to services: 


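• a signature $\Sigma_{\mathcal{S}}$ has been given that includes the following sorts:

  - the sort $\mathbf{S}$ of services;
  - the sort $\mathbf{B}$ of Boolean values;

  and the following constants and operators:

  - the empty service constant $\delta : \to \mathbf{S}$;
  - the reply constants $\mathsf{t}, \mathsf{f} : \to \mathbf{B}$;
  - for each $m \in \mathcal{M}$, the derived service operator $\frac{\partial}{\partial m} : \mathbf{S} \to \mathbf{S}$;
  - for each $m \in \mathcal{M}$ and $\pi \in \mathcal{P}$, the service reply operator $\varrho_m^{\pi} : \mathbf{S} \to \mathbf{B}$;

• a minimal $\Sigma_{\mathcal{S}}$-algebra $\mathcal{S}$ has been given in which the following holds:

  - $\mathsf{t} \neq \mathsf{f}$;
  - $\bigwedge_{m \in \mathcal{M}} (\frac{\partial}{\partial m}(\delta) = \delta \land \bigwedge_{\pi \in \mathcal{P}} \varrho_m^{\pi}(\delta) = \mathsf{f})$;
  - $\bigwedge_{m \in \mathcal{M}} \bigwedge_{\pi, \rho \in \mathcal{P}} (\varrho_m^{\pi}(s) = \mathsf{t} \land \varrho_m^{\rho}(s) = \mathsf{t} \Rightarrow \pi = \rho)$.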


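The intuition concerning $\frac{\partial}{\partial m}$ and $\varrho_m^{\pi}$ is that on a request to service $s$
to process method $m$:

• if $\varrho_m^{\pi}(s) = \mathsf{t}$, $s$ processes $m$, produces the reply t with probability $\pi$
and the reply f with probability $1 - \pi$, and then proceeds as $\frac{\partial}{\partial m}(s)$;

• if $\varrho_m^{\pi}(s) = \mathsf{f}$ for each $\pi \in \mathcal{P}$, $s$ is not able to process method $m$ and
proceeds as $\delta$.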
The empty service $\delta$ itself is unable to process any method. A service is fully
deterministic if, for all $m$, for all $s$, $\varrho_m^{\pi}(s) = \mathsf{t}$ only if $\pi \in \{0, 1\}$.

The assumptions with respect to services made above are the ones made 
before for the non-probabilistic case in e.g. [15] adapted to the probabilistic 
case. 

It is also assumed that a fixed but arbitrary set $\mathcal{F}$ of foci has been
given. Foci play the role of names of services in a service family. 

SFA has the sorts, constants and operators from $\Sigma_{\mathcal{S}}$ and in addition
the sort SF of service families and the following constant and operators: 


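• the empty service family constant $\emptyset : \to \mathbf{SF}$;

• for each $f \in \mathcal{F}$, the unary singleton service family operator
$f.\_ : \mathbf{S} \to \mathbf{SF}$;

• the binary service family composition operator $\_ \oplus \_ : \mathbf{SF} \times \mathbf{SF} \to \mathbf{SF}$;

• for each $F \subseteq \mathcal{F}$, the unary encapsulation operator $\partial_F : \mathbf{SF} \to \mathbf{SF}$.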


We assume that there are infinitely many variables of sort S, including s, 
and infinitely many variables of sort SF, including u,v,w. Terms are built 
as usual in the many-sorted case (see e.g. [30, 34]). We use prefix notation 
for the singleton service family operators and infix notation for the service 
family composition operator. 

The service family denoted by $\emptyset$ is the empty service family. The service
family denoted by a closed term of the form $f.t$ consists of one named service
only, the service concerned is the service denoted by $t$, and the name of
this service is $f$. The service family denoted by a closed term of the form
$t \oplus t'$ consists of all named services that belong to either the service family
denoted by $t$ or the service family denoted by $t'$. In the case where a named
service from the service family denoted by $t$ and a named service from the
service family denoted by $t'$ have the same name, they collapse to an empty
service with the name concerned. The service family denoted by a closed
term of the form $\partial_F(t)$ consists of all named services with a name not in $F$
that belong to the service family denoted by $t$.

The axioms of SFA are given in Table 5. In this table, $f$ stands for an
arbitrary focus from $\mathcal{F}$ and $F$ stands for an arbitrary subset of $\mathcal{F}$. These
axioms simply formalize the informal explanation given above. 

The constants, operators, and axioms of SFA were presented for the 
first time in [14]. 
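Table 5: Axioms of SFA

$u \oplus \emptyset = u$    SFC1
$u \oplus v = v \oplus u$    SFC2
$(u \oplus v) \oplus w = u \oplus (v \oplus w)$    SFC3
$f.s \oplus f.s' = f.\delta$    SFC4
$\partial_F(\emptyset) = \emptyset$    SFE1
$\partial_F(f.s) = \emptyset$  if $f \in F$    SFE2
$\partial_F(f.s) = f.s$  if $f \notin F$    SFE3
$\partial_F(u \oplus v) = \partial_F(u) \oplus \partial_F(v)$    SFE4

Table 6: Axioms for the use operator

$\mathsf{D} / u = \mathsf{D}$    prU1
$\mathsf{S} / u = \mathsf{S}$    prU2
$(\mathsf{tau} \circ x) / u = \mathsf{tau} \circ (x / u)$    prU3
$(x \unlhd f.m \unrhd y) / \partial_{\{f\}}(u) = (x / \partial_{\{f\}}(u)) \unlhd f.m \unrhd (y / \partial_{\{f\}}(u))$    prU4
$(x \unlhd f.m \unrhd y) / (f.t \oplus \partial_{\{f\}}(u)) = \mathsf{tau} \circ ((x +_{\pi} y) / (f.\frac{\partial}{\partial m} t \oplus \partial_{\{f\}}(u)))$  if $\varrho_m^{\pi}(t) = \mathsf{t}$    prU5
$(x \unlhd f.m \unrhd y) / (f.t \oplus \partial_{\{f\}}(u)) = \mathsf{tau} \circ \mathsf{D}$  if $\bigwedge_{\pi \in \mathcal{P}} \varrho_m^{\pi}(t) = \mathsf{f}$    prU6
$(x +_{\pi} y) / u = (x / u) +_{\pi} (y / u)$    prU7

Table 7: Axioms for the abstraction operator

$\tau_{\mathsf{tau}}(\mathsf{S}) = \mathsf{S}$    TA1
$\tau_{\mathsf{tau}}(\mathsf{D}) = \mathsf{D}$    TA2
$\tau_{\mathsf{tau}}(\mathsf{tau} \circ x) = \tau_{\mathsf{tau}}(x)$    TA3
$\tau_{\mathsf{tau}}(x \unlhd f.m \unrhd y) = \tau_{\mathsf{tau}}(x) \unlhd f.m \unrhd \tau_{\mathsf{tau}}(y)$    TA4
$\tau_{\mathsf{tau}}(x +_{\pi} y) = \tau_{\mathsf{tau}}(x) +_{\pi} \tau_{\mathsf{tau}}(y)$    TA5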

For the set $\mathcal{A}$ of basic actions, we now take $\{f.m \mid f \in \mathcal{F}, m \in \mathcal{M}\}$.
Performing a basic action f.m is taken as making a request to the service 
named f to process method m. 


We combine prBTA with SFA and extend the combination with the 
following operators: 


• the binary use operator $\_ / \_ : \mathbf{T} \times \mathbf{SF} \to \mathbf{T}$;
• the unary abstraction operator $\tau_{\mathsf{tau}} : \mathbf{T} \to \mathbf{T}$;

and the axioms given in Tables 6 and 7, and call the resulting theory $\mathrm{prTA}_{\mathrm{tsi}}$.
In these tables, $f$ stands for an arbitrary focus from $\mathcal{F}$, $m$ stands for an
arbitrary method from $\mathcal{M}$, $\pi$ stands for an arbitrary probability from $\mathcal{P}$, and
$t$ stands for an arbitrary term of sort S. The axioms formalize the informal
explanation given below. We use infix notation for the use operator.

The thread denoted by a closed term of the form t / t’ is the thread 
that results from processing the method of each basic action performed by 
the thread denoted by t by the service with the focus of the basic action as 
its name in the service family denoted by t’ each time that a service with 
the name in question really exists and as long as the method concerned can 
be processed. In the case that a service with the name in question does 
not really exist, the processing of a method is simply skipped (axiom prU4). 
When the method of a basic action performed by the thread can be processed 
by the named service, that service changes in accordance with the method 
and the thread is affected as follows: the basic action is turned into the 
internal action tau and then an internal choice is made between the two ways 
to proceed according to the probabilities of the two possible reply values 
in the case of the method concerned (axiom prU5). When the method of 
a basic action performed by the thread cannot be processed by the named 
service, inaction occurs after the basic action is turned into the internal 
action tau (axiom prU6). 

The thread denoted by a closed term of the form $\tau_{\mathsf{tau}}(t)$ is the thread
that results from concealing the presence of the internal action tau in the 
thread denoted by t. 
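
The informal explanation of the use and abstraction operators can be turned into a small term rewriter. The following Python sketch is an added example, not code from the paper: it applies axioms prU1-prU7 and TA1-TA5 to closed terms, with a thread that retries a request to a probabilistic service. The tuple encoding of terms, the representation of services as functions, and the names `coin`, `limited` and `rng` are assumptions of this example.

```python
from fractions import Fraction as Q

# Hypothetical encoding of closed terms: 'D', 'S', ('pr', p, x, y) for x +_p y,
# ('pc', a, x, y) for x <|a|> y with a = 'tau' or a pair (focus, method).
def tau(x):
    return ('pc', 'tau', x, x)                 # tau o x abbreviates x <|tau|> x

# A service maps a method to (p, derived service) if it replies t with
# probability p, and to None if it cannot process the method.
def coin(p):
    def service(m):
        return (p, service) if m == 'flip' else None
    return service

def limited(k, p):
    """Like coin(p), but behaves as the empty service after k requests."""
    def service(m):
        return (p, limited(k - 1, p)) if m == 'flip' and k > 0 else None
    return service

def use(t, fam):
    """t / fam, with the service family fam given as a dict focus -> service."""
    if t in ('D', 'S'):
        return t                               # prU1, prU2
    if t[0] == 'pr':
        _, p, x, y = t
        return ('pr', p, use(x, fam), use(y, fam))       # prU7
    _, a, x, y = t
    if a == 'tau':
        return tau(use(x, fam))                # prU3 (and T1)
    focus, method = a
    if focus not in fam:
        return ('pc', a, use(x, fam), use(y, fam))       # prU4
    reply = fam[focus](method)
    if reply is None:
        return tau('D')                        # prU6
    p, derived = reply
    return tau(use(('pr', p, x, y), {**fam, focus: derived}))   # prU5

def abstract(t):
    """tau_tau(t): conceal the internal action tau."""
    if t in ('D', 'S'):
        return t                               # TA1, TA2
    if t[0] == 'pr':
        return ('pr', t[1], abstract(t[2]), abstract(t[3]))     # TA5
    _, a, x, y = t
    if a == 'tau':
        return abstract(x)                     # TA3 (and T1)
    return ('pc', a, abstract(x), abstract(y))                  # TA4

def p_terminate(t):
    """Probability of termination of a term without basic actions."""
    if t == 'S':
        return Q(1)
    if t == 'D':
        return Q(0)
    if t[0] != 'pr':
        raise ValueError("term still performs a basic action")
    p = Q(t[1])
    return p * p_terminate(t[2]) + (1 - p) * p_terminate(t[3])

# Constructed sample: ask rng.flip, terminate on reply t, retry once on reply f.
FLIP = ('rng', 'flip')
RETRY = ('pc', FLIP, 'S', ('pc', FLIP, 'S', 'D'))

if __name__ == "__main__":
    result = abstract(use(RETRY, {'rng': coin(Q(1, 2))}))
    print(result, p_terminate(result))
```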

The use operator and the abstraction operator are adopted from the 
extension of BTA with thread-service interaction presented before in [15]. 
With the exception of axiom prU7, the axioms for the use operator are 
the ones given before for the non-probabilistic case in [15] adapted to the 
probabilistic case. With the exception of axiom TA5, the axioms for the 
abstraction operator are adopted from the extension of BTA with thread- 
service interaction presented in [15]. Axiom prU7 and TA5 are new. 

The following theorem concerns the question whether the operators 
added to prBTA in $\mathrm{prTA}_{\mathrm{tsi}}$ are well axiomatized by the equations given in
Tables 6 and 7 in the sense that these equations allow the projective limit
model of prBTA to be expanded to a projective limit model of $\mathrm{prTA}_{\mathrm{tsi}}$.


Theorem 1 The operators added to prBTA are well axiomatized, i.e.:

(a) for all closed $\mathrm{prTA}_{\mathrm{tsi}}$ terms $t$ of sort T, there exists a closed prBTA
term $t'$ such that $t = t'$ is derivable from the axioms of $\mathrm{prTA}_{\mathrm{tsi}}$;

(b) for all closed prBTA terms $t$ and $t'$, $t = t'$ is derivable from the axioms
of prBTA iff $t = t'$ is derivable from the axioms of $\mathrm{prTA}_{\mathrm{tsi}}$;

(c) for all closed $\mathrm{prTA}_{\mathrm{tsi}}$ terms $t$ of sort T, closed $\mathrm{prTA}_{\mathrm{tsi}}$ terms $t'$ of sort
SF and $n \in \mathbb{N}$, $\pi_n(t / t') = \pi_n(\pi_n(t) / t')$ is derivable from the axioms
of $\mathrm{prTA}_{\mathrm{tsi}}$ and the following axioms for the unary operators $\pi_n$ (which
are explained below):³

$\pi_0(x) = \mathsf{D}$,
$\pi_{n+1}(\mathsf{D}) = \mathsf{D}$,
$\pi_{n+1}(\mathsf{S}) = \mathsf{S}$,
$\pi_{n+1}(x \unlhd a \unrhd y) = \pi_n(x) \unlhd a \unrhd \pi_n(y)$,
$\pi_{n+1}(x +_{\pi} y) = \pi_{n+1}(x) +_{\pi} \pi_{n+1}(y)$,

where $n$ stands for an arbitrary natural number from $\mathbb{N}$, $a$ stands for
an arbitrary basic action from $\mathcal{A}_{\mathsf{tau}}$, and $\pi$ is an arbitrary probability
from $\mathcal{P}$;

(d) for all closed $\mathrm{prTA}_{\mathrm{tsi}}$ terms $t$ of sort T and $n \in \mathbb{N}$, there exists a $k \in \mathbb{N}$
such that, for all $m \in \mathbb{N}$ with $m > k$, $\pi_n(\tau_{\mathsf{tau}}(t)) = \pi_n(\tau_{\mathsf{tau}}(\pi_m(t)))$ is
derivable from the axioms of $\mathrm{prTA}_{\mathrm{tsi}}$ and the axioms for the operators
$\pi_n$ introduced in part (c).


Proof: Part (a) is easily proved by induction on the structure of $t$, and
in the case where $t$ is of the form $t_1 / t_2$ and the case where $t$ is of the form
$\tau_{\mathsf{tau}}(t_1)$ by induction on the structure of $t_1$. In the subcase where $t$ is of the
form $(t_1' \unlhd a \unrhd t_1'') / t_2$, we need the easy to prove fact that, for each $f \in \mathcal{F}$ and
closed term $t$ of sort SF, either $t = \partial_{\{f\}}(t)$ is derivable or there exists a closed
term $t'$ of sort S such that $t = f.t' \oplus \partial_{\{f\}}(t)$ is derivable.

In the case of part (b), the implication from left to right follows imme- 
diately from the fact that the axioms of prBTA are included in the axioms 
of $\mathrm{prTA}_{\mathrm{tsi}}$. The implication from right to left is not difficult to see either.
From the axioms of $\mathrm{prTA}_{\mathrm{tsi}}$ that are not axioms of prBTA, only axioms
prU1, prU2, prU6, TA1, and TA2 may be applicable to a closed prBTA
term $t$. If one of them is applicable, then the application yields an equation
$t = t'$ in which $t'$ is not a closed prBTA term. Moreover, only the axiom
whose application yielded $t = t'$ is applicable to $t'$, but now in the opposite
direction. Hence, applications of axioms of $\mathrm{prTA}_{\mathrm{tsi}}$ that are not axioms of
prBTA do not yield additional equations. 


³ Holding on to the usual conventions leads to the double use of the symbol $\pi$: without
subscript it stands for a probability value and with subscript it stands for a projection 
operator. 
By part (a), it is sufficient to prove parts (c) and (d) for all closed
prBTA terms $t$. Parts (c) and (d) are easily proved by induction on the
structure of $t$, and in each case by case distinction between $n = 0$ and $n > 0$.
In the proof of both parts, we repeatedly need the easy to prove fact that,
for all closed prBTA terms $t$ and $n \in \mathbb{N}$, $\pi_n(t) = \pi_n(\pi_n(t))$ is derivable. In
the proof of part (c), in the case where $t$ is of the form $t_1 \unlhd a \unrhd t_2$, we need
again the fact mentioned at the end of the proof outline of part (a).


The unary operators $\pi_n$ are called projection operators. The thread denoted
by a closed term of the form $\pi_n(t)$ is the thread that differs from the thread
denoted by $t$ in that it becomes inactive as soon as it has performed $n$
actions.

By parts (a) and (b) of Theorem 1, we know that the carrier of the
projective limit model of prBTA can serve as the carrier of a projective
limit model of prTA$_{\mathrm{tsi}}$ if it is possible to define on this carrier operations
corresponding to the added operators such that the added equations are
satisfied. By parts (c) and (d) of Theorem 1, we know that it is possible
to do so. Thus, we know that the projective limit model of prBTA can be
expanded to a projective limit model of prTA$_{\mathrm{tsi}}$.

The actual expansion goes along the same lines as in the non-probabilistic
case (see [15]). An outline of this expansion is given in Appendix A.2. Because
the depth of the approximations of a thread may decrease by abstraction, we
do not have that, for all $n$ and $t$, $\pi_n(\tau_{\mathsf{tau}}(t)) = \pi_n(\tau_{\mathsf{tau}}(\pi_n(t)))$ is derivable.
However, it is sufficient that there exists a $k \in \mathbb{N}$ such that, for all $m \in \mathbb{N}$
with $m > k$, $\pi_n(\tau_{\mathsf{tau}}(t)) = \pi_n(\tau_{\mathsf{tau}}(\pi_m(t)))$ is derivable (see also [15]).


5 A Probabilistic Program Notation 


In this section, we introduce the probabilistic program notation prPGLB 
(probabilistic PGLB). In [6], a hierarchy of program notations rooted in 
program algebra is presented. One of the program notations that belong to 
this hierarchy is PGLB (ProGramming Language B). This program notation 
is close to existing assembly languages and has relative jump instructions. 
The program notation prPGLB is PGLB extended with probabilistic instruc- 
tions that allow probabilistic choices to be made during the execution of 
instruction sequences. 

In prPGLB, it is assumed that a fixed but arbitrary non-empty finite
set $\mathfrak{A}$ of basic instructions has been given. The intuition is that the execution
of a basic instruction in most instances modifies a state and in all instances
produces a reply at its completion. The possible replies are the values t
and f, and the actual reply is in most instances state-dependent. Therefore,
successive executions of the same basic instruction may produce different
replies. The set $\mathfrak{A}$ is the basis for the set of all instructions that may appear
in the instruction sequences considered in prPGLB. These instructions are
called primitive instructions.

The program notation prPGLB has the following primitive instructions:

• for each $a \in \mathfrak{A}$, a plain basic instruction $a$;
• for each $a \in \mathfrak{A}$, a positive test instruction $+a$;
• for each $a \in \mathfrak{A}$, a negative test instruction $-a$;
• for each $\pi \in \mathcal{P}$, a plain random choice instruction $\%(\pi)$;
• for each $\pi \in \mathcal{P}$, a positive random choice instruction $+\%(\pi)$;
• for each $\pi \in \mathcal{P}$, a negative random choice instruction $-\%(\pi)$;
• for each $l \in \mathbb{N}$, a forward jump instruction $\#l$;
• for each $l \in \mathbb{N}$, a backward jump instruction $\backslash\#l$;
• a termination instruction $!$.

A prPGLB instruction sequence has the form $u_1 ; \ldots ; u_k$, where $u_1, \ldots, u_k$
are primitive instructions of prPGLB.

On execution of a prPGLB instruction sequence, these primitive
instructions have the following effects:

• the effect of a positive test instruction $+a$ is that basic instruction $a$ is
executed and execution proceeds with the next primitive instruction if
t is produced and otherwise the next primitive instruction is skipped
and execution proceeds with the primitive instruction following the
skipped one — if there is no primitive instruction to proceed with,
execution becomes inactive;

• the effect of a negative test instruction $-a$ is the same as the effect of
$+a$, but with the role of the value produced reversed;

• the effect of a plain basic instruction $a$ is the same as the effect of $+a$,
but execution always proceeds as if t is produced;

• the effect of a positive random choice instruction $+\%(\pi)$ is that first t
is produced with probability $\pi$ and f is produced with probability $1 - \pi$
and then execution proceeds with the next primitive instruction if t is
produced and otherwise the next primitive instruction is skipped and
execution proceeds with the primitive instruction following the skipped
one — if there is no primitive instruction to proceed with, execution
becomes inactive;

• the effect of a negative random choice instruction $-\%(\pi)$ is the same as
the effect of $+\%(\pi)$, but with the role of the value produced reversed;

• the effect of a plain random choice instruction $\%(\pi)$ is the same as the
effect of $+\%(\pi)$, but execution always proceeds as if t is produced;

• the effect of a forward jump instruction $\#l$ is that execution proceeds
with the $l$th next primitive instruction — if $l$ equals 0 or there is no
primitive instruction to proceed with, execution becomes inactive;

• the effect of a backward jump instruction $\backslash\#l$ is that execution proceeds
with the $l$th previous primitive instruction — if $l$ equals 0 or there is no
primitive instruction to proceed with, execution becomes inactive;

• the effect of the termination instruction $!$ is that execution terminates.


With the exception of the random choice instructions, the primitive 
instructions of prPGLB are adopted from PGLB. Counterparts of the 
random choice instructions are especially found in probabilistic extensions 
of Dijkstra’s guarded command language (see e.g. [21]). 

In order to describe the behaviours produced by prPGLB instruction 
sequences on execution, we need a service that behaves as a random Boolean 
generator. This service is able to process the following methods: 


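• for each $\pi \in \mathcal{P}$, a get random Boolean method $\mathsf{get}(\pi)$.

For each $\pi \in \mathcal{P}$, the method $\mathsf{get}(\pi)$ can be explained as follows: the service
produces the reply t with probability $\pi$ and the reply f with probability
$1 - \pi$.

For the carrier of sort S, we take the set $\{\mathit{RBG}, \delta\}$. For each $m \in \mathcal{M}$
and $\pi \in \mathcal{P}$, we take the functions $\frac{\partial}{\partial m}$ and $\varrho^{\pi}_{m}$ such that:

\[
\begin{array}{ll}
\frac{\partial}{\partial \mathsf{get}(\pi)}(\mathit{RBG}) = \mathit{RBG} , & \frac{\partial}{\partial m}(\mathit{RBG}) = \delta \quad \text{if } m \notin \{\mathsf{get}(\pi) \mid \pi \in \mathcal{P}\} , \\
\varrho^{\pi}_{\mathsf{get}(\pi)}(\mathit{RBG}) = \mathsf{t} , & \varrho^{\pi}_{m}(\mathit{RBG}) = \mathsf{f} \quad \text{if } m \neq \mathsf{get}(\pi) .
\end{array}
\]

Moreover, we take the name $\mathit{RBG}$ used above to denote the element of the
carrier of sort S that differs from $\delta$ for a constant of sort S. It is assumed
that $\mathsf{get}(\pi) \in \mathcal{M}$ for each $\pi \in \mathcal{P}$. It is also assumed that $\mathsf{rbg} \in \mathcal{F}$.

Table 8: Defining equations for the thread extraction operation

\[
\begin{array}{ll}
|i, u_1 ; \ldots ; u_k| = \mathsf{D} & \text{if } \lnot\, 1 \le i \le k \\
|i, u_1 ; \ldots ; u_k| = a \circ |i+1, u_1 ; \ldots ; u_k| & \text{if } u_i = a \\
|i, u_1 ; \ldots ; u_k| = |i+1, u_1 ; \ldots ; u_k| \unlhd a \unrhd |i+2, u_1 ; \ldots ; u_k| & \text{if } u_i = +a \\
|i, u_1 ; \ldots ; u_k| = |i+2, u_1 ; \ldots ; u_k| \unlhd a \unrhd |i+1, u_1 ; \ldots ; u_k| & \text{if } u_i = -a \\
|i, u_1 ; \ldots ; u_k| = \mathsf{rbg}.\mathsf{get}(\pi) \circ |i+1, u_1 ; \ldots ; u_k| & \text{if } u_i = \%(\pi) \\
|i, u_1 ; \ldots ; u_k| = |i+1, u_1 ; \ldots ; u_k| \unlhd \mathsf{rbg}.\mathsf{get}(\pi) \unrhd |i+2, u_1 ; \ldots ; u_k| & \text{if } u_i = +\%(\pi) \\
|i, u_1 ; \ldots ; u_k| = |i+2, u_1 ; \ldots ; u_k| \unlhd \mathsf{rbg}.\mathsf{get}(\pi) \unrhd |i+1, u_1 ; \ldots ; u_k| & \text{if } u_i = -\%(\pi) \\
|i, u_1 ; \ldots ; u_k| = |i+l, u_1 ; \ldots ; u_k| & \text{if } u_i = \#l \\
|i, u_1 ; \ldots ; u_k| = |i \dot{-} l, u_1 ; \ldots ; u_k| & \text{if } u_i = \backslash\#l \\
|i, u_1 ; \ldots ; u_k| = \mathsf{S} & \text{if } u_i = {!}
\end{array}
\]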

The behaviours produced by prPGLB instruction sequences on execution
are considered to be probabilistic threads, with the basic instructions taken as
basic actions. The thread extraction operation $|\_|$ defines, for each prPGLB
instruction sequence, the behaviour produced on its execution. The thread
extraction operation is defined by

\[
|u_1 ; \ldots ; u_k| = \tau_{\mathsf{tau}}(|1, u_1 ; \ldots ; u_k| \mathbin{/} \mathsf{rbg}.\mathit{RBG}) ,
\]

where $|\_,\_|$ is defined by the equations given in Table 8 (for $a \in \mathfrak{A}$, $\pi \in \mathcal{P}$,
and $l, i \in \mathbb{N}$)⁴ and the rule that $|i, u_1 ; \ldots ; u_k| = \mathsf{D}$ if $u_i$ is the beginning of
an infinite jump chain.⁵

If $1 \le i \le k$, $\tau_{\mathsf{tau}}(|i, u_1 ; \ldots ; u_k| \mathbin{/} \mathsf{rbg}.\mathit{RBG})$ can be read as the behaviour
produced by $u_1 ; \ldots ; u_k$ on execution if execution starts at the $i$th primitive
instruction. By default, execution starts at the first primitive instruction.

In [12], we proposed several kinds of probabilistic jump instructions 
(bounded and unbounded, according to uniform probability distributions and 
geometric probability distributions). The meaning of instruction sequences 
from extensions of prPGLB with these kinds of probabilistic instructions 
can be given by a translation to instruction sequences from prPGLB. 
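
Added example (not part of the paper): a small Python executor that follows the informal effects listed above and the case analysis of Table 8, and returns the exact probability that a prPGLB instruction sequence has terminated (S), become inactive (D), or is still running after a bounded number of executed instructions. The tuple encoding of instructions, the function names and the fixed reply table for basic instructions are assumptions of this example; random choices leave no entry in the trace because their rbg.get(π) actions are internal after abstraction.

```python
from fractions import Fraction

JUMPS = ("#", "\\#")

# Constructed sample: a geometric loop. +%(1/2) either falls through to the
# backward jump (try again) or skips it, performs basic instruction a and terminates.
GEOMETRIC_LOOP = [("+%", Fraction(1, 2)), ("\\#", 1), ("basic", "a"), ("!",)]


def settle(prog, i):
    """Follow jumps from 1-based position i. Returns 'S', 'D', or the position
    of the basic or random choice instruction that is executed next."""
    seen = set()
    while 1 <= i <= len(prog):
        ins = prog[i - 1]
        if ins[0] == "!":
            return "S"
        if ins[0] not in JUMPS:
            return i
        if i in seen:                  # infinite jump chain (also covers #0 and \#0)
            return "D"
        seen.add(i)
        # forward jump adds l, backward jump uses monus (never below 0)
        i = i + ins[1] if ins[0] == "#" else max(i - ins[1], 0)
    return "D"                         # no primitive instruction to proceed with


def outcome_distribution(prog, replies, max_steps, start=1):
    """Map (status, trace of basic actions) to its exact probability after at most
    max_steps executed basic/random choice instructions.
    replies: dict from basic instruction name to the Boolean reply it produces
    (assumption: a stateless environment)."""
    done, live = {}, {(start, ()): Fraction(1)}

    def add(table, key, p):
        if p:
            table[key] = table.get(key, Fraction(0)) + p

    for step in range(max_steps + 1):
        nxt = {}
        for (pos, trace), p in live.items():
            i = settle(prog, pos)
            if i in ("S", "D"):
                add(done, (i, trace), p)
            elif step == max_steps:
                add(done, ("running", trace), p)
            else:
                kind, arg = prog[i - 1]
                if kind in ("basic", "+", "-"):
                    # plain: always as if t; +a: proceed on t; -a: proceed on f
                    ok = True if kind == "basic" else replies[arg] == (kind == "+")
                    add(nxt, (i + (1 if ok else 2), trace + (arg,)), p)
                else:
                    # offsets taken when the random Boolean is t / f
                    on_t, on_f = {"%": (1, 1), "+%": (1, 2), "-%": (2, 1)}[kind]
                    add(nxt, (i + on_t, trace), p * arg)
                    add(nxt, (i + on_f, trace), p * (1 - arg))
        live = nxt
    return done


if __name__ == "__main__":
    for n in (2, 4, 8):
        print(n, outcome_distribution(GEOMETRIC_LOOP, {}, n))
```

With a bound of n executed instructions the loop has terminated with probability 1 − 2^−(n−1), which is the bounded view of a geometrically distributed number of retries.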


⁴ We write $i \dot{-} j$ for the monus of $i$ and $j$, i.e. $i \dot{-} j = i - j$ if $i \ge j$ and $i \dot{-} j = 0$
otherwise.
⁵ This rule can be formalized, cf. [11].

6 Probabilistic Strategic Interleaving of Threads


Multi-threading refers to the concurrent existence of several threads in a 
program under execution. It is the dominant form of concurrency provided 
by contemporary programming languages such as Java [20] and C# [22]. 
Theories of concurrent processes such as ACP [3], CCS [26], and CSP [23] 
are based on arbitrary interleaving. In the case of multi-threading, more 
often than not some interleaving strategy is used. We abandon the point of 
view that arbitrary interleaving is the most appropriate abstraction when 
dealing with multi-threading. The following points illustrate why we find 
difficulty in taking that point of view: (a) whether the interleaving of certain 
threads leads to inactiveness depends on the interleaving strategy used; 
(b) sometimes inactiveness occurs with a particular interleaving strategy 
whereas arbitrary interleaving would not lead to inactiveness, and vice versa. 
Demonstrations of (a) and (b) are given in [8] and [7], respectively. 

The probabilistic features of prBTA allow it to be extended with inter- 
leaving strategies that correspond to probabilistic scheduling algorithms. In 
this section, we take up the extension of prBTA with such probabilistic inter- 
leaving strategies. The presented extension covers an arbitrary probabilistic 
interleaving strategy that can be represented in the way that is explained 
below. 

We write $\mathcal{A}'_{\mathsf{tau}}$ for $\mathcal{A}_{\mathsf{tau}} \cup \{\mathsf{nt}, \mathsf{S}, \mathsf{D}\}$ and we write $\mathcal{H}$ for $(\mathbb{N}_1 \times \mathbb{N}_1)^*$.⁶
The elements of $\mathcal{H}$ are called interleaving histories. The intuition concerning
interleaving histories is as follows: if the $j$th pair of an interleaving history
is $(i, n)$, then the $i$th thread got a turn in the $j$th interleaving step and after
its turn there were $n$ threads to be interleaved.

With regard to interleaving of threads, it is assumed that the following 
has been given: 


• a set $S$;

• an indexed family of functions $(\sigma_n)_{n \in \mathbb{N}_1}$, where, for each $n \in \mathbb{N}_1$,
$\sigma_n : \mathcal{H} \times S \to (\{1, \ldots, n\} \to \mathcal{P})$;

• an indexed family of functions $(\vartheta_n)_{n \in \mathbb{N}_1}$, where, for each $n \in \mathbb{N}_1$,
$\vartheta_n : \mathcal{H} \times S \times \{1, \ldots, n\} \times \mathcal{A}'_{\mathsf{tau}} \to S$.

The elements of $S$ are called control states, $\sigma_n$ is called an abstract scheduler
(for $n$ threads), and $\vartheta_n$ is called a control state transformer (for $n$ threads).
The intuition concerning $S$, $(\sigma_n)_{n \in \mathbb{N}_1}$, and $(\vartheta_n)_{n \in \mathbb{N}_1}$ is as follows:

• the control states from $S$ encode data relevant to the interleaving
strategy (e.g., for each of the threads being interleaved, the set of all
foci naming services on which it currently keeps a lock);

• for each $h \in \mathcal{H}$ and $s \in S$, $\sigma_n(h, s)$ is the probability distribution on $n$
threads that assigns to each of the threads the probability that it gets
the next turn after history $h$ in state $s$;

• for each $h \in \mathcal{H}$, $s \in S$, $i \in \{1, \ldots, n\}$, and $a \in \mathcal{A}'_{\mathsf{tau}}$, $\vartheta_n(h, s, i, a)$ is the
control state that arises after history $h$ in state $s$ on the $i$th thread
doing $a$.

Thus, $S$, $(\sigma_n)_{n \in \mathbb{N}_1}$, and $(\vartheta_n)_{n \in \mathbb{N}_1}$ provide a way to represent a probabilistic
interleaving strategy. The abstraction of a scheduler used here is essentially
the notion of a scheduler defined in [29].

⁶ We write $\mathbb{N}_1$ for the set $\{n \in \mathbb{N} \mid n \ge 1\}$ of positive natural numbers.

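We extend prBTA with the following operators:

• the ternary forking postconditional composition operator $\_ \unlhd \mathsf{nt}(\_) \unrhd \_ : \mathbf{T} \times \mathbf{T} \times \mathbf{T} \to \mathbf{T}$;

• for each $n \in \mathbb{N}_1$, $h \in \mathcal{H}$, and $s \in S$, the $n$-ary strategic interleaving
operator $\parallel^{n}_{h,s} : \mathbf{T} \times \cdots \times \mathbf{T} \to \mathbf{T}$;

• for each $n, i \in \mathbb{N}_1$ with $i \le n$, $h \in \mathcal{H}$, and $s \in S$, the $n$-ary positional
strategic interleaving operator $\parallel^{n,i}_{h,s} : \mathbf{T} \times \cdots \times \mathbf{T} \to \mathbf{T}$;

• the unary deadlock at termination operator $\mathsf{S}_\mathsf{D} : \mathbf{T} \to \mathbf{T}$;

and the axioms given in Table 9,⁷ and call the resulting theory prTA$_{\mathrm{si}}$. In
this table, $n$ and $i$ stand for arbitrary numbers from $\mathbb{N}_1$ with $i \le n$, $h$ stands
for an arbitrary interleaving history from $\mathcal{H}$, $s$ stands for an arbitrary control
state from $S$, $a$ stands for an arbitrary basic action from $\mathcal{A}_{\mathsf{tau}}$, and $\pi$ stands
for an arbitrary probability from $\mathcal{P}$.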

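The forking postconditional composition operator has the same shape as
the postconditional composition operators introduced in Section 3. Formally,
no basic action is involved in forking postconditional composition. However,
for an operational intuition, in $t \unlhd \mathsf{nt}(t'') \unrhd t'$, $\mathsf{nt}(t'')$ can be considered a
thread forking action. It represents the act of forking off thread $t''$. Like
with real basic actions, a reply is produced upon performing a thread forking
action.

⁷ We write $\langle\rangle$ for the empty sequence, $d$ for the sequence having $d$ as sole element, and
$\alpha \frown \alpha'$ for the concatenation of sequences $\alpha$ and $\alpha'$. We assume that the usual identities,
such as $\langle\rangle \frown \alpha = \alpha$ and $(\alpha \frown \alpha') \frown \alpha'' = \alpha \frown (\alpha' \frown \alpha'')$, hold.

Table 9: Axioms for strategic interleaving

\[
\begin{array}{ll}
\parallel^{n}_{h,s}(x_1, \ldots, x_n) = \sum_{i=1}^{n} [\sigma_n(h,s)(i)]\, \parallel^{n,i}_{h,s}(x_1, \ldots, x_n) & \text{prSI1} \\[4pt]
\parallel^{1,i}_{h,s}(\mathsf{D}) = \mathsf{D} & \text{prSI2} \\[4pt]
\parallel^{n+1,i}_{h,s}(x_1, \ldots, x_{i-1}, \mathsf{D}, x_{i+1}, \ldots, x_{n+1}) = & \\
\quad \mathsf{S}_\mathsf{D}(\parallel^{n}_{h \frown (i,n),\, \vartheta_{n+1}(h,s,i,\mathsf{D})}(x_1, \ldots, x_{i-1}, x_{i+1}, \ldots, x_{n+1})) & \text{prSI3} \\[4pt]
\parallel^{1,i}_{h,s}(\mathsf{S}) = \mathsf{S} & \text{prSI4} \\[4pt]
\parallel^{n+1,i}_{h,s}(x_1, \ldots, x_{i-1}, \mathsf{S}, x_{i+1}, \ldots, x_{n+1}) = & \\
\quad \parallel^{n}_{h \frown (i,n),\, \vartheta_{n+1}(h,s,i,\mathsf{S})}(x_1, \ldots, x_{i-1}, x_{i+1}, \ldots, x_{n+1}) & \text{prSI5} \\[4pt]
\parallel^{n,i}_{h,s}(x_1, \ldots, x_{i-1}, x_i' \unlhd \mathsf{nt}(z) \unrhd x_i'', x_{i+1}, \ldots, x_n) = & \\
\quad \mathsf{tau} \circ \parallel^{n+1}_{h \frown (i,n+1),\, \vartheta_{n}(h,s,i,\mathsf{nt})}(x_1, \ldots, x_{i-1}, x_i', x_{i+1}, \ldots, x_n, z) & \text{prSI6} \\[4pt]
\parallel^{n,i}_{h,s}(x_1, \ldots, x_{i-1}, x_i' \unlhd a \unrhd x_i'', x_{i+1}, \ldots, x_n) = & \\
\quad \parallel^{n}_{h \frown (i,n),\, \vartheta_{n}(h,s,i,a)}(x_1, \ldots, x_{i-1}, x_i', x_{i+1}, \ldots, x_n) & \\
\qquad \unlhd a \unrhd & \\
\quad \parallel^{n}_{h \frown (i,n),\, \vartheta_{n}(h,s,i,a)}(x_1, \ldots, x_{i-1}, x_i'', x_{i+1}, \ldots, x_n) & \text{prSI7} \\[4pt]
\parallel^{n,i}_{h,s}(x_1, \ldots, x_{i-1}, x_i' +_\pi x_i'', x_{i+1}, \ldots, x_n) = & \\
\quad \parallel^{n,i}_{h,s}(x_1, \ldots, x_{i-1}, x_i', x_{i+1}, \ldots, x_n) & \\
\qquad +_\pi & \\
\quad \parallel^{n,i}_{h,s}(x_1, \ldots, x_{i-1}, x_i'', x_{i+1}, \ldots, x_n) & \text{prSI8} \\[4pt]
\mathsf{S}_\mathsf{D}(\mathsf{D}) = \mathsf{D} & \text{DT1} \\
\mathsf{S}_\mathsf{D}(\mathsf{S}) = \mathsf{D} & \text{DT2} \\
\mathsf{S}_\mathsf{D}(x \unlhd \mathsf{nt}(z) \unrhd y) = \mathsf{S}_\mathsf{D}(x) \unlhd \mathsf{nt}(\mathsf{S}_\mathsf{D}(z)) \unrhd \mathsf{S}_\mathsf{D}(y) & \text{DT3} \\
\mathsf{S}_\mathsf{D}(x \unlhd a \unrhd y) = \mathsf{S}_\mathsf{D}(x) \unlhd a \unrhd \mathsf{S}_\mathsf{D}(y) & \text{DT4} \\
\mathsf{S}_\mathsf{D}(x +_\pi y) = \mathsf{S}_\mathsf{D}(x) +_\pi \mathsf{S}_\mathsf{D}(y) & \text{DT5}
\end{array}
\]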
The thread denoted by a closed term of the form $\parallel^{n}_{h,s}(t_1, \ldots, t_n)$ is the
thread that results from interleaving of the $n$ threads denoted by $t_1, \ldots, t_n$
after history $h$ in state $s$, according to the interleaving strategy represented
by $S$, $(\sigma_n)_{n \in \mathbb{N}_1}$, and $(\vartheta_n)_{n \in \mathbb{N}_1}$. By the interleaving, a number of threads is
turned into a single thread. In this single thread, the internal action tau
arises as a residue of each thread forking action encountered. Moreover, the
possibility that f is produced as a reply upon performing a thread forking
action is ignored. This reflects our focus on the case where capacity problems
with respect to thread forking never arise.

The positional strategic interleaving operators are auxiliary operators
used to axiomatize the strategic interleaving operators. The role of the
positional strategic interleaving operators in the axiomatization is similar to
the role of the left merge operator found in process algebra (see e.g. [3]). The
deadlock at termination operator is an auxiliary operator as well. It is used
in axiom prSI3 to express that in the event of inactiveness of one thread,
the whole becomes inactive only after all other threads have terminated or
become inactive. The thread denoted by a closed term of the form $\mathsf{S}_\mathsf{D}(t)$
is the thread that results from turning termination into inactiveness in the
thread denoted by $t$.


The forking postconditional composition operator and the deadlock
at termination operator are adopted from earlier extensions of BTA with
strategic interleaving. The strategic interleaving operators and the positional
strategic interleaving operators are not adopted from earlier extensions of
BTA with strategic interleaving. To our knowledge, no probabilistic process
algebra with counterparts of these operators has been proposed until now.
Axioms prSI1–prSI8 and DT5 are new. Axioms DT1–DT4 are adopted
from the extension of BTA with strategic interleaving and thread forking
presented in [13].


Consider the case where $S$ is a singleton set, for each $n \in \mathbb{N}_1$, $\sigma_n$ is
defined by

\[
\begin{array}{ll}
\sigma_n(\langle\rangle, s)(i) = 1 & \text{if } i = 1 , \\
\sigma_n(\langle\rangle, s)(i) = 0 & \text{if } i \neq 1 , \\
\sigma_n(h \frown (j,n), s)(i) = 1 & \text{if } i = (j+1) \bmod n , \\
\sigma_n(h \frown (j,n), s)(i) = 0 & \text{if } i \neq (j+1) \bmod n
\end{array}
\]

and $\vartheta_n$ is defined by

\[
\vartheta_n(h, s, i, a) = s .
\]

In this case, the interleaving strategy corresponds to the round-robin scheduling
algorithm. This deterministic interleaving strategy is called cyclic interleaving
in our earlier work on interleaving strategies (see e.g. [8]). In the
current setting, an interleaving strategy is deterministic if, for all $n$, for all
$h$, $s$, and $i$, $\sigma_n(h, s)(i) \in \{0, 1\}$. In the case that $S$ and $\vartheta_n$ are as above, but
$\sigma_n$ is defined by


Grn 8) = 1 i=. 
on((),8)(8) =0 fil, 
Gel he Gen), 3)G) = 1/n- tin, 
CATS SieyeH Oo. eS i, 


the interleaving strategy is a purely probabilistic one. The probability 
distribution used is a uniform distribution. 

More advanced strategies can be obtained if the scheduling makes use 
of the whole interleaving history and/or the control state. For example, 
the individual lifetimes of the threads to be interleaved and their creation 
hierarchy can be taken into account by making use of the whole interleaving 
history. Individual properties of the threads to be interleaved that depend 
on the actions performed by them can be taken into account by making use 
of the control state. By doing so, interleaving strategies are obtained which, 
to a certain extent, can be affected by the threads to be interleaved. 
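
Added example (not from the paper): an executable reading of the abstract scheduler σ_n and the control state transformer ϑ_n, used to compute the exact distribution over interleaved traces of straight-line threads under round-robin and under a uniform scheduler. Assumptions of this example: threads are tuples of basic actions ending in S or D (no reply-dependent branching, no forking), the round-robin residue 0 is read as thread n, the uniform scheduler assigns 1/n after every history, and all function names are hypothetical.

```python
from fractions import Fraction

# Constructed sample threads: a ; a ; S  and  b ; S
THREADS = [("a", "a", "S"), ("b", "S")]


def round_robin(h, s, n):
    """sigma_n for cyclic interleaving: thread 1 first, afterwards the thread
    that follows the one that had the last turn."""
    if not h:
        nxt = 1
    else:
        j, _ = h[-1]
        nxt = (j + 1) % n or n          # assumption: residue 0 denotes thread n
    return {i: Fraction(int(i == nxt)) for i in range(1, n + 1)}


def uniform(h, s, n):
    """Assumed uniform scheduler: each thread gets the next turn with probability 1/n."""
    return {i: Fraction(1, n) for i in range(1, n + 1)}


def keep_state(h, s, i, a):
    """Control state transformer theta_n(h, s, i, a) = s (singleton control state)."""
    return s


def interleave(threads, sigma, theta=keep_state, s=None):
    """Exact distribution over (trace, final status) of the interleaved thread."""
    result = {}

    def go(ts, h, s, trace, dead, p):
        n = len(ts)
        for i, pi in sigma(h, s, n).items():
            if pi == 0:
                continue
            head, rest = ts[i - 1][0], ts[i - 1][1:]
            if head in ("S", "D"):
                # an inactive thread makes the whole end in D, but only at the end
                now_dead = dead or head == "D"
                if n == 1:
                    key = (trace, "D" if now_dead else "S")
                    result[key] = result.get(key, Fraction(0)) + p * pi
                else:
                    # thread i is dropped; n - 1 threads remain after its turn
                    go(ts[:i - 1] + ts[i:], h + ((i, n - 1),),
                       theta(h, s, i, head), trace, now_dead, p * pi)
            else:
                # thread i performs basic action `head`; n threads remain
                go(ts[:i - 1] + (rest,) + ts[i:], h + ((i, n),),
                   theta(h, s, i, head), trace + (head,), dead, p * pi)

    go(tuple(tuple(t) for t in threads), (), s, (), False, Fraction(1))
    return result


def prob_before(dist, first, second):
    """Probability that `first` occurs before `second` in the interleaved trace."""
    return sum(p for (trace, _), p in dist.items()
               if first in trace and second in trace
               and trace.index(first) < trace.index(second))


if __name__ == "__main__":
    for name, sched in (("round-robin", round_robin), ("uniform", uniform)):
        dist = interleave(THREADS, sched)
        print(name, dist, "P(b before a) =", prob_before(dist, "b", "a"))
```

The same pair of threads yields a single trace under round-robin and three traces under the uniform scheduler, so any property phrased over the order of observable actions has to be evaluated per scheduler.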

Henceforth, we will write prBTA$_{\mathrm{nt}}$ for prBTA extended with the forking
postconditional composition operator. The projective limit model of prBTA$_{\mathrm{nt}}$
is constructed like the projective limit model of prBTA. An outline of the
projective limit model of prBTA$_{\mathrm{nt}}$ is given in Appendix A.3.

The following theorem concerns the question whether the operators
added to prBTA$_{\mathrm{nt}}$ are well axiomatized by the equations given in Table 9 in
the sense that these equations allow the projective limit model of prBTA$_{\mathrm{nt}}$
to be expanded to a projective limit model of prTA$_{\mathrm{si}}$.


Theorem 2 The operators added to prBTA$_{\mathrm{nt}}$ are well axiomatized, i.e.:

(a) for all closed prTA$_{\mathrm{si}}$ terms $t$, there exists a closed prBTA$_{\mathrm{nt}}$ term $t'$
such that $t = t'$ is derivable from the axioms of prTA$_{\mathrm{si}}$;

(b) for all closed prBTA$_{\mathrm{nt}}$ terms $t$ and $t'$, $t = t'$ is derivable from the
axioms of prBTA$_{\mathrm{nt}}$ iff $t = t'$ is derivable from the axioms of prTA$_{\mathrm{si}}$;

(c) for all $m, i \in \mathbb{N}_1$ with $i \le m$, $h \in \mathcal{H}$, $s \in S$, closed prTA$_{\mathrm{si}}$ terms $t_1,
\ldots, t_m$ and $n \in \mathbb{N}$, $\pi_n(\parallel^{m}_{h,s}(t_1, \ldots, t_m)) = \pi_n(\parallel^{m}_{h,s}(\pi_n(t_1), \ldots, \pi_n(t_m)))$
and $\pi_n(\parallel^{m,i}_{h,s}(t_1, \ldots, t_m)) = \pi_n(\parallel^{m,i}_{h,s}(\pi_n(t_1), \ldots, \pi_n(t_m)))$ are derivable
from the axioms of prTA$_{\mathrm{si}}$, the axioms for the operators $\pi_n$ introduced
in Theorem 1, and the following axiom:

\[
\pi_{n+1}(x \unlhd \mathsf{nt}(z) \unrhd y) = \pi_{n+1}(x) \unlhd \mathsf{nt}(\pi_{n+1}(z)) \unrhd \pi_{n+1}(y) ,
\]

where $n$ stands for an arbitrary natural number from $\mathbb{N}$;

(d) for all closed prTA$_{\mathrm{si}}$ terms $t$ and $n \in \mathbb{N}$, $\pi_n(\mathsf{S}_\mathsf{D}(t)) = \pi_n(\mathsf{S}_\mathsf{D}(\pi_n(t)))$ is
derivable from the axioms of prTA$_{\mathrm{si}}$, the axioms for the operators $\pi_n$
introduced in Theorem 1, and the axiom introduced in part (c).


Proof: Part (a) is straightforwardly proved by induction on the structure
of $t$, and then in the case where $t$ is of the form $\parallel^{n}_{h,s}(t_1, \ldots, t_n)$ by induction
on the sum of the lengths of $t_1, \ldots, t_n$ and case distinction on the structure of
$t_i$ and in the case where $t$ is of the form $\mathsf{S}_\mathsf{D}(t_1)$ by induction on the structure
of $t_1$. The proof of the case where $t$ is of the form $\parallel^{n}_{h,s}(t_1, \ldots, t_n)$ reveals
that occurrences of the forking postconditional composition operator get
eliminated if $t$ is of that form.

In the case of part (b), the implication from left to right follows immediately
from the fact that the axioms of prBTA$_{\mathrm{nt}}$ are included in the
axioms of prTA$_{\mathrm{si}}$. The implication from right to left is not difficult to see
either. From the axioms of prTA$_{\mathrm{si}}$ that are not axioms of prBTA$_{\mathrm{nt}}$, only
axioms prSI2, prSI4, DT1, and DT2 may be applicable to a closed prBTA$_{\mathrm{nt}}$
term $t$. If one of them is applicable, then the application yields an equation
$t = t'$ in which $t'$ is not a closed prBTA$_{\mathrm{nt}}$ term. Moreover, only the axiom
whose application yielded $t = t'$ is applicable to $t'$, but now in the opposite
direction. Hence, applications of axioms of prTA$_{\mathrm{si}}$ that are not axioms of
prBTA$_{\mathrm{nt}}$ do not yield additional equations.

By part (a), it is sufficient to prove part (c) for all closed prBTA$_{\mathrm{nt}}$ terms
$t_1, \ldots, t_m$. The derivability of the second equation is straightforwardly proved
by induction on the sum of the lengths of $t_1, \ldots, t_m$ and case distinction on
the structure of $t_i$, and in each case by case distinction between $n = 0$ and
$n > 0$. The derivability of the first equation now follows immediately using
the axioms of the operators $\pi_n$. In the proofs, we repeatedly need the easy to
prove fact that, for all closed prBTA$_{\mathrm{nt}}$ terms $t$ and $n \in \mathbb{N}$, $\pi_n(t) = \pi_n(\pi_n(t))$
is derivable.

By part (a), it is sufficient to prove part (d) for all closed prBTA$_{\mathrm{nt}}$
terms $t$. Part (d) is easily proved by induction on the structure of $t$, and
in each case by case distinction between $n = 0$ and $n > 0$. In the proof, we
need again the fact mentioned at the end of the proof outline of part (c).

By Theorem 2, we know that the projective limit model of prBTA$_{\mathrm{nt}}$
can be expanded to a projective limit model of prTA$_{\mathrm{si}}$. An outline of this
expansion is given in Appendix A.3.
7 Concluding Remarks


We have added probabilistic features to BTA and its extensions with thread-service
interaction and strategic interleaving. Thus, we have paved the
way for rigorous investigation of issues related to probabilistic computation
thinking in terms of instruction sequences and rigorous investigation of
probabilistic interleaving strategies. As an example of the use of prTA$_{\mathrm{tsi}}$, the
probabilistic version of the extension of BTA with thread-service interaction,
we have added the most basic kind of probabilistic instructions proposed
in [12] to a program notation rooted in PGA and have given a formal
definition of the behaviours produced by the instruction sequences from the
resulting program notation under execution with the help of prTA$_{\mathrm{tsi}}$.

We enumerate neither the numerous issues relating to probabilistic
computation in areas such as computability and complexity of computational
problems, efficiency of algorithms, and verification of programs that could
be investigated thinking in terms of instruction sequences nor the numerous
probabilistic scheduling algorithms that could be investigated in prTA$_{\mathrm{si}}$,
the probabilistic generalization of the extensions of BTA with strategic
interleaving.

However, we mention interesting options for future work that are of a 
different kind: (a) clarifying analyses of relevant probabilistic algorithms, 
such as the Miller-Rabin probabilistic primality test [27], using probabilistic 
instruction sequences or non-probabilistic instruction sequences and proba- 
bilistic services and (b) explanations of relevant quantum algorithms, such 
as Shor’s integer factorization algorithm [31], by first giving a clarifying 
analysis using probabilistic instruction sequences or non-probabilistic in- 
struction sequences and probabilistic services and then showing how certain 
services involved in principle can be realized very efficiently with quantum 
computing. 

Moreover, we believe that the development of program notations for 
probabilistic computation is a useful preparation for the development of 
program notations for quantum computation later on. The development 
of program notations for quantum computation that have their origins 
in instruction sequences could constitute a valuable complement to other 
developments with respect to quantum computation, which for the greater 
part boil down to mere adaptation of earlier developments with respect to 
classical computation to the potentialities of quantum physics (see e.g. [19]). 

In fact, prBTA is a process algebra tailored to the behaviours produced
by probabilistic instruction sequences under execution. Because prBTA
offers probabilistic choices of the generative variety (see [32]) and no
non-deterministic choices, it is most closely related to the probabilistic process
algebra prBPA presented in [2]. To our knowledge, thread-service interaction
and strategic interleaving as found in prTA$_{\mathrm{tsi}}$ and prTA$_{\mathrm{si}}$ are mechanisms
for interaction and concurrency that are quite different from those found
in any theory or model of processes. This leaves almost nothing to be said
about related work.

The very limited extent of related work is due to two conscious choices:
(a) the limitation of the scope to behaviours produced by programs under
execution and (b) the limitation of the scope to the form of interleaving
concurrency that is relevant to the behaviours of multi-threaded programs
under execution. However, something unexpected remains to be mentioned
as related work, to wit the work on security of multi-threaded programs
presented in [29]. Probabilistic strategic interleaving as found in prTA$_{\mathrm{si}}$
is strongly inspired by the scheduler-dependent semantics of a simple
programming language with support for multi-threading that we found in that
paper.

It is noteworthy to mention something about the interpretation of
prBTA, prTA$_{\mathrm{tsi}}$, and prTA$_{\mathrm{si}}$ in a probabilistic version of a general process
algebra such as ACP, CCS or CSP. It is crucial that probabilistic choice
of the generative variety, non-deterministic choice, asynchronous parallel
composition, abstraction from internal actions, and recursion are covered by
the process algebra used for the purpose of interpretation. General process
algebras that cover all this are rare. To our knowledge, pACP$_\tau$ [1] is the only
one that has been elaborated in sufficient depth. However, interpretation of
prBTA, prTA$_{\mathrm{tsi}}$, and prTA$_{\mathrm{si}}$ in pACP$_\tau$ seems impossible to us. The presence
of asynchronous parallel composition based on arbitrary interleaving in
pACP$_\tau$ precludes the proper form of abstraction from internal actions for
interpretation of prBTA, prTA$_{\mathrm{tsi}}$, and prTA$_{\mathrm{si}}$.
A Projective Limit Models


In this appendix, we outline the construction of projective limit models for
prBTA, prTA$_{\mathrm{tsi}}$, and prTA$_{\mathrm{si}}$. In these models, which cover finite and infinite
threads, threads are represented by infinite sequences of finite approximations.
Guarded recursive specifications have unique solutions in these models. We
denote the interpretations of constants and operators in the models by the
constants and operators themselves.


A.1 Projective Limit Model of prBTA


We will write $\mathcal{I}(\mathrm{prBTA})$ for the initial model of prBTA and $T(\mathrm{prBTA})$ for
the carrier of $\mathcal{I}(\mathrm{prBTA})$. $T(\mathrm{prBTA})$ consists of the equivalence classes of
closed prBTA terms with respect to derivable equality. In other words,
modulo derivable equality, $T(\mathrm{prBTA})$ is the set of all closed prBTA terms.
Henceforth, we will identify closed prBTA terms with their equivalence class
where elements of $T(\mathrm{prBTA})$ are concerned.

Each element of $T(\mathrm{prBTA})$ represents a finite thread, i.e. a thread with
a finite upper bound to the number of actions that it can perform. Below,
we will construct a model that covers infinite threads as well. In preparation
for that, we define for all $n$ a function that cuts off threads from $T(\mathrm{prBTA})$
after $n$ actions have been performed.

For each $n \in \mathbb{N}$, we define the projection function $\pi_n : T(\mathrm{prBTA}) \to
T(\mathrm{prBTA})$, inductively as follows:

\[
\begin{array}{ll}
\pi_0(t) = \mathsf{D} , & \pi_{n+1}(t \unlhd a \unrhd t') = \pi_n(t) \unlhd a \unrhd \pi_n(t') , \\
\pi_{n+1}(\mathsf{S}) = \mathsf{S} , & \\
\pi_{n+1}(\mathsf{D}) = \mathsf{D} , & \pi_{n+1}(t +_\pi t') = \pi_{n+1}(t) +_\pi \pi_{n+1}(t') .
\end{array}
\]

For $t \in T(\mathrm{prBTA})$, $\pi_n(t)$ is called the $n$th projection of $t$. It can be thought
of as an approximation of $t$. If $\pi_n(t) \neq t$, then $\pi_{n+1}(t)$ can be thought of
as the closest better approximation of $t$. If $\pi_n(t) = t$, then $\pi_{n+1}(t) = t$ as
well. For all $n \in \mathbb{N}$, we will write $T^n(\mathrm{prBTA})$ for $\{\pi_n(t) \mid t \in T(\mathrm{prBTA})\}$.
Obviously, the projection functions defined above satisfy the axioms for the
projection operators introduced in Theorem 1.

In the projective limit model, which covers both finite and infinite
threads, threads are represented by projective sequences, i.e. infinite
sequences $(t_n)_{n \in \mathbb{N}}$ of elements of $T(\mathrm{prBTA})$ such that $t_n \in T^n(\mathrm{prBTA})$ and
$t_n = \pi_n(t_{n+1})$ for all $n \in \mathbb{N}$. In other words, a projective sequence is a
sequence of which successive components are successive projections of the
same thread. The idea is that any infinite thread is fully characterized by the
infinite sequence of all its finite approximations. We will write $T^\infty(\mathrm{prBTA})$
for the set of all projective sequences over $T(\mathrm{prBTA})$, i.e. the set

\[
\{(t_n)_{n \in \mathbb{N}} \mid \textstyle\bigwedge_{n \in \mathbb{N}} (t_n \in T^n(\mathrm{prBTA}) \land t_n = \pi_n(t_{n+1}))\} .
\]


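The projective limit model $\mathcal{I}^\infty(\mathrm{prBTA})$ of prBTA consists of the following:

• the set $T^\infty(\mathrm{prBTA})$, the carrier of the projective limit model;
• an element of $T^\infty(\mathrm{prBTA})$ for each constant of prBTA;
• an operation on $T^\infty(\mathrm{prBTA})$ for each operator of prBTA;

where those elements of $T^\infty(\mathrm{prBTA})$ and operations on $T^\infty(\mathrm{prBTA})$ are
defined as follows:

\[
\begin{array}{rcl}
\mathsf{S} & = & (\pi_n(\mathsf{S}))_{n \in \mathbb{N}} , \\
\mathsf{D} & = & (\pi_n(\mathsf{D}))_{n \in \mathbb{N}} , \\
(t_n)_{n \in \mathbb{N}} \unlhd a \unrhd (t'_n)_{n \in \mathbb{N}} & = & (\pi_n(t_n \unlhd a \unrhd t'_n))_{n \in \mathbb{N}} , \\
(t_n)_{n \in \mathbb{N}} +_\pi (t'_n)_{n \in \mathbb{N}} & = & (\pi_n(t_n +_\pi t'_n))_{n \in \mathbb{N}} .
\end{array}
\]

It is straightforward to check that the constants are elements of
$T^\infty(\mathrm{prBTA})$ and the operations always yield elements of $T^\infty(\mathrm{prBTA})$. It
follows immediately from the construction of the projective limit model of
prBTA that the axioms of prBTA form a complete axiomatization of this
model for equations between closed terms.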


A.2 Projective Limit Model of prTA$_{\mathrm{tsi}}$


We will write $\mathcal{I}(\mathrm{SFA})$ for the free SFA-extension of S and $\mathcal{I}(\mathrm{prTA}_{\mathrm{tsi}})$ for
the free prTA$_{\mathrm{tsi}}$-extension of S.

From the fact that the signatures of $\mathcal{I}^\infty(\mathrm{prBTA})$ and $\mathcal{I}(\mathrm{SFA})$ are
disjoint, it follows, by the amalgamation result about expansions presented
as Theorem 6.1.1 in [24] (adapted to the many-sorted case), that there
exists a model of prBTA combined with SFA such that the restriction to the
signature of prBTA is $\mathcal{I}^\infty(\mathrm{prBTA})$ and the restriction to the signature of
SFA is $\mathcal{I}(\mathrm{SFA})$.

Let $\mathcal{I}^\infty(\mathrm{prBTA{+}SFA})$ be the model of prBTA combined with SFA
referred to above. Then the projective limit model $\mathcal{I}^\infty(\mathrm{prTA}_{\mathrm{tsi}})$ of prTA$_{\mathrm{tsi}}$
is $\mathcal{I}^\infty(\mathrm{prBTA{+}SFA})$ expanded with the operations defined by

\[
\begin{array}{rcl}
(t_n)_{n \in \mathbb{N}} \mathbin{/} S & = & (\pi_n(t_n \mathbin{/} S))_{n \in \mathbb{N}} , \\
\tau_{\mathsf{tau}}((t_n)_{n \in \mathbb{N}}) & = & (\lim_{k \to \infty} \pi_n(\tau_{\mathsf{tau}}(t_k)))_{n \in \mathbb{N}}
\end{array}
\]

as interpretations of the additional operators of prTA$_{\mathrm{tsi}}$. On the right-hand
side of these equations, the symbols $/$ and $\tau_{\mathsf{tau}}$ denote the interpretation of
the operators $/$ and $\tau_{\mathsf{tau}}$ in $\mathcal{I}(\mathrm{prTA}_{\mathrm{tsi}})$. In the second equation, the limit is
the limit with respect to the discrete topology on $T(\mathrm{prBTA})$.

It is straightforward to check that the operations with which $\mathcal{I}^\infty(\mathrm{prBTA})$
is expanded always yield elements of $T^\infty(\mathrm{prBTA})$. It follows immediately
from the construction of $\mathcal{I}^\infty(\mathrm{prTA}_{\mathrm{tsi}})$ and Theorem 1 that $\mathcal{I}^\infty(\mathrm{prTA}_{\mathrm{tsi}})$ is
really a projective limit model of prTA$_{\mathrm{tsi}}$.


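A.3 Projective Limit Model of prTA$_{\mathrm{si}}$


We will write $\mathcal{I}(\mathrm{prBTA}_{\mathrm{nt}})$ for the initial model of prBTA$_{\mathrm{nt}}$ and $T(\mathrm{prBTA}_{\mathrm{nt}})$
for the carrier of $\mathcal{I}(\mathrm{prBTA}_{\mathrm{nt}})$. Moreover, we will write $\mathcal{I}(\mathrm{prTA}_{\mathrm{si}})$ for the
initial model of prTA$_{\mathrm{si}}$.

With the projection functions $\pi_n$ extended from $T(\mathrm{prBTA})$ to
$T(\mathrm{prBTA}_{\mathrm{nt}})$ such that

\[
\pi_{n+1}(t \unlhd \mathsf{nt}(t'') \unrhd t') = \pi_{n+1}(t) \unlhd \mathsf{nt}(\pi_{n+1}(t'')) \unrhd \pi_{n+1}(t') ,
\]

the projective limit model $\mathcal{I}^\infty(\mathrm{prBTA}_{\mathrm{nt}})$ of prBTA$_{\mathrm{nt}}$ is constructed from
$\mathcal{I}(\mathrm{prBTA}_{\mathrm{nt}})$ like the projective limit model $\mathcal{I}^\infty(\mathrm{prBTA})$ of prBTA is
constructed from $\mathcal{I}(\mathrm{prBTA})$. The interpretation of the additional operator is
the operation on $T^\infty(\mathrm{prBTA}_{\mathrm{nt}})$ defined as follows:

\[
(t_{1n})_{n \in \mathbb{N}} \unlhd \mathsf{nt}((t_{2n})_{n \in \mathbb{N}}) \unrhd (t_{3n})_{n \in \mathbb{N}} = (\pi_n(t_{1n} \unlhd \mathsf{nt}(t_{2n}) \unrhd t_{3n}))_{n \in \mathbb{N}} .
\]

The projective limit model $\mathcal{I}^\infty(\mathrm{prTA}_{\mathrm{si}})$ of prTA$_{\mathrm{si}}$ is $\mathcal{I}^\infty(\mathrm{prBTA}_{\mathrm{nt}})$
expanded with the operations defined by

\[
\begin{array}{rcl}
\parallel^{m}_{h,s}((t_{1n})_{n \in \mathbb{N}}, \ldots, (t_{mn})_{n \in \mathbb{N}}) & = & (\pi_n(\parallel^{m}_{h,s}(t_{1n}, \ldots, t_{mn})))_{n \in \mathbb{N}} , \\
\parallel^{m,i}_{h,s}((t_{1n})_{n \in \mathbb{N}}, \ldots, (t_{mn})_{n \in \mathbb{N}}) & = & (\pi_n(\parallel^{m,i}_{h,s}(t_{1n}, \ldots, t_{mn})))_{n \in \mathbb{N}} , \\
\mathsf{S}_\mathsf{D}((t_n)_{n \in \mathbb{N}}) & = & (\pi_n(\mathsf{S}_\mathsf{D}(t_n)))_{n \in \mathbb{N}}
\end{array}
\]

as interpretations of the additional operators of prTA$_{\mathrm{si}}$. On the right-hand
side of these equations, the symbols $\unlhd \mathsf{nt}(\_) \unrhd$, $\parallel^{m}_{h,s}$, $\parallel^{m,i}_{h,s}$, and $\mathsf{S}_\mathsf{D}$ denote the
interpretation of the operators $\unlhd \mathsf{nt}(\_) \unrhd$, $\parallel^{m}_{h,s}$, $\parallel^{m,i}_{h,s}$ and $\mathsf{S}_\mathsf{D}$ in $\mathcal{I}(\mathrm{prTA}_{\mathrm{si}})$.

It is straightforward to check that the operations with which
$\mathcal{I}^\infty(\mathrm{prBTA}_{\mathrm{nt}})$ is expanded always yield elements of $T^\infty(\mathrm{prBTA}_{\mathrm{nt}})$. It follows
immediately from the construction of $\mathcal{I}^\infty(\mathrm{prTA}_{\mathrm{si}})$ and Theorem 2 that
$\mathcal{I}^\infty(\mathrm{prTA}_{\mathrm{si}})$ is really a projective limit model of prTA$_{\mathrm{si}}$.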